3 Replies - 1340 Views - Last Post: 03 August 2007 - 06:08 PM

New database attack revealed

Posted 02 August 2007 - 09:56 PM

TechWorld.Com posted an article outlining a new database attack that has been revealed. Unlike attacks in the past, this one doesn't rely on poorly written code on the front end or poorly administered servers to work.

Quote

"The new attack relies solely on the inherent characteristics of the indexing algorithms used by most commercial database management systems," said Core researchers Ariel Waissbein and Pablo Damian Saura in a note on the presentation.

Replies To: New database attack revealed

Re: New database attack revealed

Hmmm...this proposed attack is almost completely theoretical in nature...I would say virtually impossible to implement in the real world. That is a lot of variables to consider.

At the very least, it could be thwarted by a random delay between inserts (as noted by one commenter) - and this is virtually guaranteed to happen anyway in any situation in which there is other network traffic.

Re: New database attack revealed

Hmmm...this proposed attack is almost completely theoretical in nature...I would say virtually impossible to implement in the real world. That is a lot of variables to consider.

At the very least, it could be thwarted by a random delay between inserts (as noted by one commenter) - and this is virtually guaranteed to happen anyway in any situation in which there is other network traffic.

Though hard to pull off, they actually did a demonstration of the attack, meaning they pulled it off. But the random delay between inserts does sound like a plausible defense in my opinion.

Re: New database attack revealed

Posted 03 August 2007 - 06:08 PM

They were able to pull off an attack for the demo because they controlled all aspects, including the db software. Easy to eliminate and manage the peripheral 'noise' to get the timing down if you have access to the logs. One would assume that a malicious individual would be attacking from outside, where they would not have access to such information.